Xbox 360 hacked


Rakeesh
03-18-06, 02:33 PM
Apparently somebody hacked the DVD drive's firmware to spoof the disc type (similar to what bitsetting does for movie DVDs, only this is on the firmware side), which allows DVD-R copies of games to work. Normally the disc type is calculated as part of the signature, but since it can be faked to the original setting now, the signature remains valid, thus the copied games work. Thus naturally, they can't run arbitrary code since the signature check is still in place.

I was wondering why somebody didn't try this before. It would allow you to play copied games on Xbox Live without getting banned as well, since the main Xbox firmware hasn't been tampered with, nor has any other hardware been modified in any way.

I suppose Microsoft could detect this on Live by scanning the DVD drive's firmware, but the data contained on the firmware itself could easily be spoofed. The other software on the Xbox has to rely on whatever the firmware itself says it has. Somebody could just add code to the firmware that sends false data to external reads. All it has to do is report whatever data the console would expect it to have, and then detection would become impossible.

People who would want to cheat on Xbox Live would be out of luck, since after all, the signature checks are still in place.

http://www.xbox-scene.com/xbox1data/sep/EEukZpklFAhkcWwSgZ.php

Mr. Hunt
03-18-06, 06:33 PM
Wow... pretty crazy stuff.

Edge
03-18-06, 08:21 PM
Interesting. I'm sure Microsoft could find a way to prevent this in future revisions, but it's surprising this exploit was found at all. So theoretically it could get to a point where you could take the drive out of the Xbox 360, hook it up to your PC, and flash the firmware (or have a specialist shop do it for you)? Sounds like an interesting option, although I don't know how widespread it would get. Seems like it would be a little easier to do than installing a mod chip, but it also doesn't allow you to do as much since right now all it can do is play copies of games.

Rakeesh
03-19-06, 01:37 AM
> Interesting. I'm sure Microsoft could find a way to prevent this in future revisions, but it's surprising this exploit was found at all.

I wasn't really surprised by it. If you just look at the signature verification system, it would be pretty easy to deduce that this is a viable approach. The reason signed binaries run on one medium and not another is because the medium type is calculated into the signature. That is why you can't just copy a game to a DVD-R. So you just work around that by removing the DVD drive's ability to determine what type of medium is in the drive.

Microsoft could work around this by encrypting the DVD drive's firmware somehow in future revisions of the Xbox, but with current versions of the Xbox, they won't ever be able to seal off this exploit.

msxyz
03-19-06, 04:01 AM
If you read further, they explain the method used to hack the firmware, which requires removing the flash chip, reading the key, and then reprogramming it with a dedicated hack and putting it back in place.

Some DVD drives allow their firmware to be upgraded directly through the drive, but it seems that this is not the case; otherwise anyone with an S-ATA motherboard could run a small ad-hoc program to "unlock" the Xbox 360 drive. Similarly, Microsoft could introduce a check routine in the machine BIOS to see if the drive retains its original, unaltered firmware and lock down those machines which have been hacked.

Badboy_12345
03-19-06, 07:07 AM
> Microsoft could introduce a check routine in the machine BIOS to see if the drive retains its original, unaltered firmware and lock down those machines which have been hacked.

...

> I suppose Microsoft could detect this on Live by scanning the DVD drive's firmware, but the data contained on the firmware itself could easily be spoofed. The other software on the Xbox has to rely on whatever the firmware itself says it has. Somebody could just add code to the firmware that sends false data to external reads. All it has to do is report whatever data the console would expect it to have, and then detection would become impossible.

H3avyM3tal
03-19-06, 07:21 AM
Not really surprising. It was expected, though it would be hard to do it on your own, unless the user is really good at these things. I wonder when it will become easier, since it's only the first hack they came up with.

Rakeesh
03-20-06, 12:20 PM
> If you read further, they explain the method used to hack the firmware, which requires removing the flash chip, reading the key, and then reprogramming it with a dedicated hack and putting it back in place.

Yeah... I think I speak for everybody when I say we did read it further. This is a common thing among all hardware-based attacks. The first Xbox hacks were like this, and hacks on other embedded devices (such as my TiVo) work this way.

If soldering isn't your thing, it could be possible to enable in-circuit programming of the flash chip with a small modification, without the need for extensive soldering. Or, to take that even further, you could make a "mod chip" by pulling the ground pin and then putting a piggyback TSOP in its place.

See Badboy_12345's post.

Rakeesh
03-24-06, 11:33 PM
Here are some follow-ups on this:

http://www.xbox-scene.com/xbox1data/sep/EEuklElZyFpcibJZvz.php

And it seems that they have figured out a method for writing to the firmware without physically removing the chip. It will probably involve some minor hardware modifications though, as I am pretty sure that it is not in-circuit flashable in its factory state.

http://www.xbox-scene.com/xbox1data/sep/EEuklluluFrFtUsLdW.php

And also, here is an interview which goes over how Microsoft may go about trying to counter this:

http://www.xbox-scene.com/xbox1data/sep/EEukAuAyupcCWeeywc.php

Pretty much goes along with everything I have been saying.

If the unit is in-circuit flashable in the factory state, then Microsoft could always try to re-flash it; however, I'll lay money on the possibility of a hardware modification that wouldn't allow writes to the firmware, but would report to the kernel that the write was successful, which would prevent Microsoft from re-flashing the TSOP via Live or new games that come out.

Or there could be a software-based modification to the firmware that would do the same thing, only requiring a backdoor key to be given in order to allow the write to occur successfully, which would simultaneously disallow updates from Microsoft while allowing the user to add their own updates willy-nilly, without adding a switch or otherwise having to tinker with the hardware more than once.